MorrisHendricks-3829 asked vipulsparsh-MSFT answered

Microsoft Endpoint Manager Sign-in Logs

My name is Morris Hendricks. I am the systems administrator for our cyber school, and I am trying to understand the log files in Microsoft Endpoint Manager / Users / Sign-in logs. Here is the problem: I can get to the logs, and in reviewing them some of the end-user data is fine and I can see that they are logging in from the correct area. Other users show discrepancies, like they are logging in from where they are supposed to be, then all of a sudden the log shows an entry way out of whack from where they're at, then goes back to where they are located again. Then some of the log files show just out-of-the-ordinary sign-in events. I understand most of the obvious ones (like outside the US), but I cannot figure out a lot of them. My CEO is asking me questions that I need clarification on, and any help would be greatly appreciated.

azure-ad-sign-in-logs

1 Answer

vipulsparsh-MSFT answered

@MorrisHendricks-3829 Thanks for reaching out.

In order to sort out the legitimate ones, you need to narrow it down to the actual user logins and any application (non-interactive) logins for that user account, and then match them with the place the user is in currently.

For example, if the user is in Atlanta, all the user-based logins should come from that place. But if there is any application that also signs in on behalf of that user account (maybe MS first-party apps like Office 365 or Exchange), check whether the IPs listed are coming from non-Microsoft data center IPs. Those are the ones you should investigate.

This is how it looks in real logs. For example, for the user "system administrator" in my portal I see various logins from my location and IP address in India, but a few of them have different IPs in the US for some applications.

[screenshot: sign-in log entries for the user, showing the India and US IP addresses]


If you check that IP address from the US, you will find that it is one of the Microsoft registered IP addresses used by different MS products, which are safe to ignore.

[screenshot: lookup of the US IP address showing it is Microsoft-registered]


In a similar way you can figure out the rest. Let me know if you need any help, and also let me know if you have any other scenarios.






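The triage the answer describes, as an added worked example that is not part of the original Q&A and not Microsoft's code: per user, separate interactive from non-interactive sign-ins, compare each sign-in's location with where the user is expected to be, and treat non-interactive sign-ins from Microsoft-owned address space as service traffic that can be ignored. The sample records, the expected-location table and the `MICROSOFT_RANGES` list are constructed (RFC 5737 documentation addresses, not real Microsoft ranges); in practice you would load the prefixes from the "Azure IP Ranges and Service Tags" JSON that Microsoft publishes and run this over a JSON/CSV export of the sign-in logs.

```python
"""Triage exported Azure AD sign-in records by user, sign-in type and IP origin.

Added example, not from the original Q&A. All data below is constructed.
"""
import ipaddress
from collections import Counter

# Constructed sample records. Field names loosely follow the sign-in log
# export (userPrincipalName, appDisplayName, ipAddress, isInteractive);
# "city" stands in for the nested location object. Values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "mhendricks@example.edu", "appDisplayName": "Azure Portal",
     "ipAddress": "198.51.100.23", "city": "Atlanta", "isInteractive": True},
    {"userPrincipalName": "mhendricks@example.edu", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.77", "city": "Quincy", "isInteractive": False},
    {"userPrincipalName": "mhendricks@example.edu", "appDisplayName": "Microsoft Teams",
     "ipAddress": "192.0.2.9", "city": "Lagos", "isInteractive": False},
    {"userPrincipalName": "mhendricks@example.edu", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "192.0.2.10", "city": "Lagos", "isInteractive": True},
    {"userPrincipalName": "mhendricks@example.edu", "appDisplayName": "Azure Portal",
     "ipAddress": "198.51.100.23", "city": "Atlanta", "isInteractive": True},
    {"userPrincipalName": "jdoe@example.edu", "appDisplayName": "Azure Portal",
     "ipAddress": "198.51.100.40", "city": "Atlanta", "isInteractive": True},
]

# Constructed baseline: where each user is known to be right now.
EXPECTED_CITY = {"mhendricks@example.edu": "Atlanta"}

# Constructed placeholder for Microsoft data-center prefixes. Replace with the
# prefixes from Microsoft's published service-tag JSON; 203.0.113.0/24 is a
# documentation range used here only so the example runs offline.
MICROSOFT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def is_microsoft_ip(ip: str) -> bool:
    """True if the address falls inside one of the configured Microsoft prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MICROSOFT_RANGES)


def classify(record: dict, expected_city: str) -> str:
    """Apply the answer's rule to one sign-in record.

    expected    - location matches where the user is
    service     - non-interactive sign-in from Microsoft address space (app
                  acting on the user's behalf; safe to ignore per the answer)
    investigate - anything else: an interactive sign-in from the wrong place,
                  or a non-interactive one from a non-Microsoft IP
    """
    if record["city"] == expected_city:
        return "expected"
    if not record["isInteractive"] and is_microsoft_ip(record["ipAddress"]):
        return "service"
    return "investigate"


def triage(records: list, expected_by_user: dict) -> list:
    """Return one finding per record, preserving log order.

    Users with no known location get 'no-baseline' so they are not silently
    treated as fine.
    """
    findings = []
    for r in records:
        expected = expected_by_user.get(r["userPrincipalName"])
        verdict = "no-baseline" if expected is None else classify(r, expected)
        findings.append({
            "user": r["userPrincipalName"],
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "city": r["city"],
            "interactive": r["isInteractive"],
            "verdict": verdict,
        })
    return findings


def summarize(findings: list) -> Counter:
    """Count verdicts, e.g. to report 'N sign-ins need investigation'."""
    return Counter(f["verdict"] for f in findings)


def location_trail(findings: list, user: str) -> list:
    """Ordered list of cities for one user, which makes the 'away and back'
    pattern from the question visible at a glance."""
    return [f["city"] for f in findings if f["user"] == user]


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS, EXPECTED_CITY)
    for f in result:
        print(f"{f['verdict']:12} {f['user']:24} {f['app']:30} {f['ip']:15} {f['city']}")
    print(summarize(result))
```

Two caveats a reader should keep in mind: the "safe to ignore" verdict only holds for non-interactive, application-driven sign-ins, so an interactive sign-in from a Microsoft IP is still flagged; and the location field is derived from IP geolocation, so the city shown for a data-center address (Quincy above) is the data center's city, not the user's.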